In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance. The affected versions are from 1.3.0 before 7.4.17, from 7.13.0 before 7.13.7, from 7.14.0 before 7.14.3, from 7.15.0 before 7.15.2, from 7.16.0 before 7.16.4, from 7.17.0 before 7.17.4, and from 7.18.0 before 7.18.1.
References
Link | Resource |
---|---|
http://packetstormsecurity.com/files/167430/Confluence-OGNL-Injection-Remote-Code-Execution.html | Exploit Third Party Advisory VDB Entry |
http://packetstormsecurity.com/files/167431/Through-The-Wire-CVE-2022-26134-Confluence-Proof-Of-Concept.html | Third Party Advisory VDB Entry |
http://packetstormsecurity.com/files/167432/Confluence-OGNL-Injection-Proof-Of-Concept.html | Third Party Advisory VDB Entry |
http://packetstormsecurity.com/files/167449/Atlassian-Confluence-Namespace-OGNL-Injection.html | Exploit Third Party Advisory VDB Entry |
https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html | |
https://jira.atlassian.com/browse/CONFSERVER-79016 | Patch Vendor Advisory |
Configurations
Configuration 1 (hide)
|
History
08 Aug 2023, 14:22
Type | Values Removed | Values Added |
---|---|---|
CWE | CWE-917 |
30 Jun 2022, 06:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
14 Jun 2022, 14:38
Type | Values Removed | Values Added |
---|---|---|
First Time |
Atlassian
Atlassian confluence Data Center Atlassian confluence Server |
|
CVSS |
v2 : v3 : |
v2 : 7.5
v3 : 9.8 |
CPE | cpe:2.3:a:atlassian:confluence_data_center:7.18.0:*:*:*:*:*:*:* cpe:2.3:a:atlassian:confluence_server:7.18.0:*:*:*:*:*:*:* cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:* cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:* |
|
CWE | CWE-74 | |
References | (MISC) http://packetstormsecurity.com/files/167449/Atlassian-Confluence-Namespace-OGNL-Injection.html - Exploit, Third Party Advisory, VDB Entry | |
References | (MISC) http://packetstormsecurity.com/files/167431/Through-The-Wire-CVE-2022-26134-Confluence-Proof-Of-Concept.html - Third Party Advisory, VDB Entry | |
References | (MISC) http://packetstormsecurity.com/files/167430/Confluence-OGNL-Injection-Remote-Code-Execution.html - Exploit, Third Party Advisory, VDB Entry | |
References | (MISC) https://jira.atlassian.com/browse/CONFSERVER-79016 - Patch, Vendor Advisory | |
References | (MISC) http://packetstormsecurity.com/files/167432/Confluence-OGNL-Injection-Proof-Of-Concept.html - Third Party Advisory, VDB Entry |
08 Jun 2022, 18:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
08 Jun 2022, 09:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
03 Jun 2022, 22:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2022-06-03 22:15
Updated : 2023-12-10 14:22
NVD link : CVE-2022-26134
Mitre link : CVE-2022-26134
CVE.ORG link : CVE-2022-26134
JSON object : View
Products Affected
atlassian
- confluence_server
- confluence_data_center
CWE
CWE-917
Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')